Microsoft Announces Azure DevOps Bug Bounty Program

Better days are ahead for researchers as software
giant Microsoft has launched a bug bounty program for the Azure cloud services
and servers.

With rewards up to $20,000, Microsoft has
announced that the program is open for researchers to discover and sniff out
vulnerabilities in the Team Foundation Server and the Azure DevOps service – a
platform meant for code development and collaboration purposes.

Azure DevOps is used by developers the world over
for testing tools, package and artifact creation, project Git repo access, test
pipelines, and other code-related projects.

Microsoft disclosed in a blog post that the goal
of the bounty program was to identify significant undiscovered flaws that have
a demonstrable impact on the security of its huge customer base. The impact
may include Elevation of Privilege, Spoofing, Information Disclosure,
Tampering, and Remote Code Execution.

Director of Engineering for Azure DevOps, Buck
Hodges, announced that the company will continue to conduct regular code
reviews to inspect the security of its infrastructure. The company will
also regularly assemble a red team to attack its own systems and find
the weak links and vulnerabilities.

The bug bounty rewards range from $500 to the
grand prize of $20,000. The maximum prize is awarded for the discovery of
remote code execution. Depending on the severity of the vulnerabilities
discovered (high, medium, low), some of the payouts are pegged at $10,000,
$15,000 and $20,000.

Microsoft also noted that higher prizes are
possible, based on the nature and quality of the entry and at the company’s
sole discretion.

The company asked researchers to provide a video
or essay documenting their discoveries, together with a proof of concept (PoC)
that enables its in-house engineers to reproduce the bug.

Microsoft isn’t the only tech company to organize
bounty programs such as this. Only last year, Intel offered up to $250,000 for
identification of high-severity flaws. Google and Facebook had also opened
bounty programs for developers to spot flaws in their systems.

Microsoft currently runs 9 other bounty programs,
the highest being awarded for vulnerabilities in Hyper-V ($250,000).